White-box implementation

ABSTRACT

A system for enabling a device to compute an outcome of an exponentiation C^(x) having a base C and/or an exponent x, the system comprising means for establishing a plurality of values λ_(i); means for establishing a plurality of values ω_(i) satisfying ω_(i)=C^(λ_(i)); means for establishing a plurality of values φ_(i) satisfying that the sum of the values λ_(i)φ_(i) equals x; and an output for providing the device with the plurality of values φ_(i). A device computes an outcome of the exponentiation C^(x). The device comprises means for computing a product of the values ω_(i) to the power of φ_(i). The device is arranged for using the product as a result of the exponentiation C^(x).

FIELD OF THE INVENTION

The invention relates to a method of enabling an entity to compute an outcome of an exponentiation.

BACKGROUND OF THE INVENTION

The Internet provides users with convenient access to digital content. Because of the flexibility with which content can be made available to consumers via the Internet, a current trend is to equip consumer electronics (CE) products with the capability to access the Internet to obtain media content to be rendered. Such CE products include, but are not limited to, digital set top boxes, digital TVs, game consoles, PCs and, increasingly, hand-held devices such as PDAs, mobile phones, and mobile storage and rendering devices such as portable MP3 players. The Internet is not the only medium for distributing digital content. Also other digital content distribution channels are widely used, for example using digital video broadcast (DVB) and digital audio broadcast (DAB) via satellite, terrestrial air, and/or cable networks. The use of the Internet and other digital distribution media for copyrighted content creates the challenge to secure the interests of the content provider. In particular it is desirable to have technological means available to warrant the copyrights and business models of the content providers. Increasingly, CE platforms are operated using a processor loaded with suitable software. Such software may include the main part of functionality for rendering (playback) of digital content, such as audio and/or video. Control of the playback software is one way to enforce the interests of the content owner including the terms and conditions under which the content may be used. Where traditionally many CE platforms (with the exception of a PC and PDA) used to be closed, nowadays more and more platforms at least partially are open and allow computer programmers to inspect the software and to make modifications to the software. In such open systems, including personal computers, some users may be assumed to have complete control over the hardware and software that provides access to the content. Also, some users may have a large amount of time and resources to attack and bypass any content protection mechanisms. As a consequence, content providers must deliver content to legitimate users across a hostile network to a community where not all users or devices can be trusted.

Typically, digital rights management systems use an encryption technique based on block ciphers that process the data stream according to a key. Such content may be decrypted by the receiver using either the same key or another key. The implementation of such ciphers in the consumer devices may be obfuscated to make it more difficult for an attacker to find out the value of the key. Examples of ciphers commonly in use for many different kinds of applications are DES, AES, RSA, and the method disclosed in WO9967918.

A software application that has been designed such that particular crucial data is hidden from such users is called a white-box implementation. In particular, a white-box implementation may be designed in such a way that it is made more difficult for an attacker to learn about the value of cryptographic keys used in the software application. Typically, white-box implementations also try to hide the data such as cryptographic keys from users having full control of the execution environment, for example by using a debugger.

In relation to key handling, for playback a media player has to retrieve a decryption key from a license database. It then has to store this decryption key somewhere in memory for the decryption of the encrypted content. This leaves an attacker two options for an attack on the key. Firstly, reverse engineering of the license database access function could result in black box software (i.e., the attacker does not have to understand the internal workings of the software function), allowing the attacker to retrieve asset keys from all license databases. Secondly, by observation of the accesses to memory during content decryption, it is possible to retrieve the asset key. In both cases the key is considered to be compromised.

“White-Box Cryptography and an AES Implementation”, by Stanley Chow, Philip Eisen, Harold Johnson, and Paul C. Van Oorschot, in Selected Areas in Cryptography: 9th Annual International Workshop, SAC 2002, St. John's, Newfoundland, Canada, Aug. 15-16, 2002, and “A White-Box DES Implementation for DRM Applications”, by Stanley Chow, Phil Eisen, Harold Johnson, and Paul C. van Oorschot, in Digital Rights Management: ACM CCS-9 Workshop, DRM 2002, Washington, D.C., USA, Nov. 18, 2002 (hereinafter, these two publications will be referred to collectively as “Chow”), disclose methods with the intent to hide the key by a combination of encoding its tables with random bijections representing compositions rather than individual steps, and extending the cryptographic boundary by pushing it out further into the containing application.

The techniques disclosed in Chow make it possible to perform cryptographic operations in software without exposing the cryptographic key to a person who can fully debug the software. In the approach of Chow, the cryptographic key is hidden by using look-up tables rather than mathematical operations, with the result that the operands of the mathematical operations do not have to be stored as such. These tables may be encoded using random bijections to further obfuscate them. The encoding of one table may be undone by the encoding of another table, or may be undone elsewhere in the program. However, not all operations are easily represented by means of a look-up table.

SUMMARY OF THE INVENTION

It would be advantageous to be able to create a white-box implementation for a wider range of algorithms. To better address this concern, in a first aspect of the invention a method is presented for enabling a device to compute an outcome of an exponentiation C^(x) having a base C and an exponent x, the method comprising

establishing (102) the base C of the exponentiation and the exponent x of the exponentiation;

establishing (104) a plurality of values λ_(i), for i=1, 2, . . . , r, wherein r is an integer and r≧2;

establishing (106) a plurality of values ω_(i), for i=1, 2, . . . , r, satisfying ω_(i)=C^(λ_(i));

establishing (108) a plurality of values φ_(i), for i=1, 2, . . . , r, satisfying

$x = \sum_{i=1}^{r} \lambda_i \phi_i;$

providing (110) the device with information indicative of the plurality of values ω_(i);

providing (112) the device with information indicative of the plurality of values φ_(i);

computing (114), by means of the device,

$P = \prod_{i=1}^{r} \omega_i^{\phi_i}.$

Because P=C^(x), the method allows enabling a device to compute an outcome of an exponentiation C^(x) without enabling the device to obtain knowledge of a base C of the exponentiation and/or an exponent x of the exponentiation. This allows an exponentiation to be performed on an untrusted entity (the device) without exposing the base or the exponent to an attacker who has the capability to fully inspect or debug the entity. The base and the exponent are not exposed to the attacker, because the base and the exponent are never provided to the entity in plain format. Although the information provided to the entity is sufficient to compute the outcome of the exponentiation, it is difficult or impossible to compute the base and/or exponent from this information. The entity needs only to be provided with the values ω_(i) and φ_(i). These values are sufficient to compute the result of the exponentiation. However, from these values it is difficult to learn the value of C, because to find out C, one would need to know the values of ω_(i) and λ_(i). It is also difficult to learn the value of x, because to find out x, one would need to know the values of φ_(i) and λ_(i). Consequently, if the plurality of values λ_(i) is kept secret, it is difficult to find either C or x. Even if C would be known by an attacker, it is still difficult to find out about x, because for this the attacker would need to compute x=log_(C) P or λ_(i)=log_(C) ω_(i) for i=1, 2, . . . , r, and, depending on how the parameters and the algebraic structures are selected, it is believed that these logarithms are difficult to compute. For example, log_(C) P is considered difficult to compute if C is the generator of a cyclic group of high order. The exponentiation can be used, for example, in cryptographic algorithms including encryption/decryption algorithms and digital signature creation and/or validation.

In an embodiment, the step of establishing a plurality of values λ_(i) comprises establishing a set V of values to be used as the exponent x and establishing a plurality of sets of values W₁, W₂, . . . , W_(r) such that

$V \subseteq \left\{ \sum_{i=1}^{r} \lambda_i \cdot w_i \;\middle|\; (w_1, w_2, \ldots, w_r) \in W_1 \times W_2 \times \ldots \times W_r \right\}.$

The step of establishing the plurality of values φ_(i) comprises selecting the values φ_(i) such that φ_(i)∈W_(i), for i=1, 2, . . . , r. The method comprises performing the steps of establishing the plurality of values φ_(i), providing the device with the information indicative of the plurality of values φ_(i), and computing

$P = \prod_{i=1}^{r} \omega_i^{\phi_i}$

by means of the device, in respect of a plurality of different values x∈V.

This embodiment allows different values of x to be used efficiently with the same base value C. The way in which the values λ_(i) are selected in this embodiment allows any exponent x from the set V to be used without changing the λ_(i). Consequently, the values of ω_(i) remain unchanged, and it is not necessary to re-compute them. This saves computational resources.

In a particularly efficient embodiment, W_(i)={0,1}, for i=1, 2, . . . , r. Such a binary representation allows for an efficient and easy implementation. It allows the values of φ_(i)∈W_(i) to be determined efficiently.

Other advantageous aspects of the invention are defined in the independent claims. The dependent claims further define advantageous embodiments.

BRIEF DESCRIPTION OF THE DRAWINGS

These and other aspects of the invention will be further elucidated and described with reference to the drawing, in which

FIG. 1 is a flowchart illustrating processing steps of a method of enabling a device to compute an exponentiation;

FIG. 2 is a diagram illustrating data flow and processing means operating on the data;

FIG. 3 is a flowchart illustrating a method of key generation;

FIG. 4 is a flowchart illustrating a method of message encryption;

FIG. 5 is a flowchart illustrating a method of decryption of ciphertext;

FIG. 6 is a flowchart illustrating a method of white-boxing an exponentiation α^(k₂);

FIG. 7 is a flowchart illustrating a method of white-boxing an exponentiation α^(−k₁);

FIG. 8 is a flowchart illustrating a method of obtaining a white-box implementation of an encryption algorithm;

FIG. 9 is a flowchart illustrating a method of obtaining a white-box implementation of a decryption algorithm; and

FIG. 10 illustrates an embodiment.

DETAILED DESCRIPTION OF EMBODIMENTS

A white-box cipher is a block cipher which is well suited for a white-box implementation of a cryptographic algorithm, i.e., a software implementation for which it is difficult for an attacker to extract the cryptographic key that is used. Such white-box implementations are known to exist for symmetric block ciphers, such as AES and 3DES. However, it would also be interesting to white-box asymmetric ciphers, such as RSA and ElGamal. A typical operation in asymmetric ciphers is an exponentiation y^(x), where y and x can both be variable and constant. In some block ciphers, the base y is more or less constant whereas the exponent x varies more often. When white-boxing such block ciphers (or, more generally, algorithms), it is advantageous if the exponent x can be efficiently changed. Also, it would be advantageous if an implementation of y^(x) were provided in which the value of x may be hidden. In this text an approach to white-boxing block ciphers (or, more generally, algorithms) is presented that has these advantages.

The white-box implementation presented herein may be made larger than a standard implementation of the exponentiation. Furthermore, it is difficult for an attacker to make the implementation smaller. This property can be advantageous in preventing unauthorized copying or distribution of the software implementation.

WO 2007/105126 discloses a method and system for including a given binary string in a white-box implementation of a symmetric block cipher such as AES and DES. This string inclusion can be used to bind the implementation to a platform or to forensically watermark the implementation. The white-box implementation as described in this invention allows given binary strings to be included into the implementation of an exponentiation operation.

As an advantage of a white-box implementation, Chow et al. mention that a white-box implementation can effectively be bound to the remainder of the program. More precisely, by applying external encodings to the input values and/or output values of an algorithm, it is prevented that an attacker can easily understand and/or extract the complete white-box implementation from a software program. Also this technique can be applied to the white-box implementation of exponentiation as disclosed in this description.

In this description, an approach is disclosed for hiding for example the value x in an exponentiation y^(x). Herein, y may be constant and x may be variable, however this is not a limitation. This value x remains hidden, even for an attacker who has full control over and full access to the implementation of the program that performs the exponentiation.

FIG. 1 is a flowchart illustrating processing steps according to a method of enabling a device to compute an outcome of an exponentiation C^(x) having a base C and/or an exponent x. FIG. 2 is a diagram illustrating the flow of data and the entities and processing means operating on these data. The method of FIG. 1 will be described with reference also to FIG. 2. A method of enabling an entity 250 to compute an outcome of an exponentiation C^(x) having a base C and/or an exponent x may be implemented, for example, within an entity 200. Preferably the entity 200 communicates with the entity 250 via a digital communications network such as the Internet, or using digital communication via cable, air, and/or satellite. Alternatively digital messages are distributed via e.g. removable media such as CD, DVD, flash memory USB-stick. The entity 200 may be a system which provides services to one or more entities 250. Such a system may be a single server computer. However, the entity 200 may be a system comprising various computers and/or devices. The entity 200 may also be implemented on a peer device communicating with a peer entity 250, wherein the peers wish to exchange information in a secure way. The entity 250 may be a device or a software application suitable for being executed on a device. Such a device may be a personal computer (PC), laptop, personal digital assistant (PDA), set-top box, digital video recorder, gaming console, or the like. Suitable applications include media players, web browsers, and software capable of performing secure transactions. The entity 250 may be arranged for processing multimedia content, e.g. audio and/or video content. The entity 250 may comprise a cryptographic unit for decrypting audio and/or video content using exponentiation disclosed in this document. The entity 250 may also or alternatively be arranged for performing other kinds of cryptographic operations such as fingerprinting or signing of messages.

The method comprises the step 102 of establishing the base C of the exponentiation and the exponent x of the exponentiation. These values C and x may follow from the context to which the method is applied. For example, C and x may be dependent on the particulars of a cryptographic algorithm and/or the key used in such an algorithm. In particular in asymmetric key cryptographic algorithms, an exponentiation usually plays a prominent role. The values of C and x may be retrieved from a database or may be derived from data stored in a database, e.g. a key for a user stored in a database may form the input to compute C and/or x. Also, the values of C and/or x may be fixed, whereas in other cases C and/or x may be variable. The values of C and/or x may be stored in a memory in the entity 200.

The method comprises the step 104 of establishing a plurality of values λ_(i), for i=1, 2, . . . , r, wherein r is an integer and r≧2. These values λ_(i) are used later in the method to obfuscate the values of C and x. The values may be chosen randomly from a predetermined set. Also the number of values r may be chosen randomly, although the security may be increased by choosing a larger value of r. The plurality of values λ_(i) may be stored at least temporarily in a memory of the entity 200.

The method comprises the step 106 of establishing a plurality of values ω_(i), for i=1, 2, . . . , r, satisfying ω_(i)=C^(λ_(i)). These values ω_(i) are thus dependent on the values λ_(i) and on C. They may be computed by an exponentiation known in the art. Such an exponentiation operation may be implemented in a computational unit 202 of entity 200, which may comprise for example computer program instructions and/or electronic circuitry.

The method comprises the step 108 of establishing a plurality of values φ_(i), for i=1, 2, . . . , r, satisfying

$x = \sum_{i=1}^{r} \lambda_i \phi_i.$

These values φ_(i) are thus dependent on the values λ_(i) and on x. They may be computed for example by using Gaussian elimination or another method of solving linear equations known in the art. This method step may be implemented in another computational unit 204 of entity 200.

The method comprises the step 110 of providing the entity 250 with information indicative of the plurality of values ω_(i). The method comprises the step 112 of providing the entity 250 with information indicative of the plurality of values φ_(i). In steps 110 and 112, the communications link and/or removable media referred to above may be employed. Alternatively, some of the values may be provided by hard-coding in the entity 250. For example, if the entity 250 is a device, the values ω_(i) might be stored, during manufacture time, in a read-only memory of the device. If the values should be replaced from time to time, the values may be stored in firmware, for example. The values ω_(i) may also be hard-coded in a software application. The values φ_(i) may also be stored (semi)permanently in the entity 250, however, in many applications x changes very often (depends for example on a message to be transmitted) and in such a case it may be more efficient to transmit the values via a network and store them in a random access memory in the entity 250.

The method comprises the step 114 of computing, by means of the entity 250,

$P = \prod_{i=1}^{r} \omega_i^{\phi_i}.$

This step is implemented in the entity 250 and replaces the computation of C^(x) in the device. Because C and x are not exposed in step 114, the entity 250 is capable of computing the value of C^(x) without gaining knowledge of C and/or x. This step 114 is implemented in a computational unit 252. Computational unit 252 may comprise a software module or an electric circuit for performing the step 114.

The method may be used, for example, with a fixed C and variable x. To this end, step 104 of establishing a plurality of values λ_(i) may comprise establishing a set V of values to be used as the exponent x and establishing a plurality of sets of values W₁, W₂, . . . , W_(r) such that

$V \subseteq \left\{ \sum_{i=1}^{r} \lambda_i \cdot w_i \;\middle|\; (w_1, w_2, \ldots, w_r) \in W_1 \times W_2 \times \ldots \times W_r \right\}.$

Step 108 of establishing the plurality of values φ_(i) may comprise selecting the values φ_(i) such that φ_(i)∈W_(i), for i=1, 2, . . . , r. To use different values of x∈V, the following steps are performed in respect of these different values of x∈V: step 108 of establishing the plurality of values φ_(i), step 112 of providing the device with the information indicative of the plurality of values φ_(i), and step 114 of computing P by means of the device, in respect of a plurality of different values x∈V. Since

$V \subseteq \left\{ \sum_{i=1}^{r} \lambda_i \cdot w_i \;\middle|\; (w_1, w_2, \ldots, w_r) \in W_1 \times W_2 \times \ldots \times W_r \right\},$

any value x∈V can be expressed by properly selecting the φ_(i)∈W_(i) such that

$x = \sum_{i=1}^{r} \lambda_i \phi_i.$

Preferably, C is an element of a multiplicative group G, wherein C is of order q, which means that q is the smallest positive integer such that C^(q)=1. Also, preferably, C and G are selected such that q is sufficiently large. In particular q is sufficiently large if it makes the computation of log_(C) x sufficiently difficult. When determining what counts as sufficiently difficult to compute, the amount of computational resources an attacker may have available should be taken into account. For example, q is a 1024-bit number, e.g. q>2¹⁰²³.

In an embodiment, W_(i)={0,1}, for i=1, 2, . . . , r. This is a binary solution that may make the method especially easy to realize and/or more efficient, for example because it is easier to find appropriate values of φ_(i).
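Steps 104 to 114 above, instantiated for the binary embodiment W_(i)={0,1}, as an added Python example that is not part of the patent: entity 200 keeps the λ_(i) secret, provides the ω_(i) once and a fresh vector of φ_(i) per exponent, and entity 250 only multiplies. The toy group (p=1019, C=2) and the way the λ_(i) are generated (a randomised complete sequence, so that every x in V is a subset sum and the φ_(i) are found greedily) are assumptions of this example; the page only requires that the λ_(i) span V.

```python
import random
from typing import List

# Constructed toy parameters, not values from the page: p is a small prime and
# C = 2 generates the multiplicative group mod p (1019 = 2*509 + 1 and 2 is a
# quadratic non-residue mod 1019), so C has order q = 1018.  A real deployment
# uses a group whose order q is around 2^1023, as the text recommends.
P = 1019
C = 2


def establish_lambdas(v_max: int, seed: int) -> List[int]:
    """Step 104 on the trusted entity 200: choose a secret plurality
    lambda_1..lambda_r so that every x in V = {0, ..., v_max} is a subset sum
    of the lambdas, i.e. the binary embodiment W_i = {0, 1}.

    Assumed construction (the page does not prescribe one): each new lambda
    is drawn from [1, 1 + sum(previous lambdas)].  Any integer up to the
    total is then a subset sum, and establish_phis finds it greedily.
    The number of values r therefore also varies with the seed."""
    rng = random.Random(seed)
    lambdas = [1]
    while sum(lambdas) < v_max:
        lambdas.append(rng.randint(1, 1 + sum(lambdas)))
    return lambdas


def establish_omegas(lambdas: List[int]) -> List[int]:
    """Step 106: omega_i = C^lambda_i.  Computed once per device by entity 200;
    the device receives only these group elements, never C or the lambdas."""
    return [pow(C, lam, P) for lam in lambdas]


def establish_phis(x: int, lambdas: List[int]) -> List[int]:
    """Step 108: phi_i in {0, 1} with sum(lambda_i * phi_i) == x.

    Walk the lambdas from last to first and take each one that still fits.
    Because lambda_k <= 1 + sum(lambda_1..lambda_{k-1}), whatever remains
    after deciding on lambda_k is always representable by the earlier ones."""
    if not 0 <= x <= sum(lambdas):
        raise ValueError("x lies outside the set V spanned by the lambdas")
    phis = [0] * len(lambdas)
    remaining = x
    for i in reversed(range(len(lambdas))):
        if lambdas[i] <= remaining:
            phis[i] = 1
            remaining -= lambdas[i]
    assert remaining == 0, "complete-sequence invariant violated"
    return phis


def device_exponentiate(omegas: List[int], phis: List[int]) -> int:
    """Step 114 on the untrusted entity 250: P = prod(omega_i ^ phi_i) mod p.
    This replaces C^x; the device's code and inputs contain neither C nor x.
    pow() is used so the same routine also serves non-binary phi_i."""
    result = 1
    for omega, phi in zip(omegas, phis):
        result = result * pow(omega, phi, P) % P
    return result


def run_fixed_base_variable_exponent(v_max: int, exponents: List[int],
                                     seed: int) -> bool:
    """Fixed C, varying x in V: lambdas and omegas are generated once and only
    the phis change per exponent.  Returns True if every device result equals
    the reference C^x computed on the trusted side."""
    lambdas = establish_lambdas(v_max, seed)  # secret, stays on entity 200
    omegas = establish_omegas(lambdas)        # sent to / stored in entity 250
    for x in exponents:
        phis = establish_phis(x, lambdas)     # sent per message
        if device_exponentiate(omegas, phis) != pow(C, x, P):
            return False
    return True


def per_device_omegas(v_max: int, seeds: List[int]) -> List[List[int]]:
    """Different lambdas (and r) per device, same C: each device gets its own
    omega list, so its parameters identify it, and phis prepared for one
    device do not in general yield C^x with another device's omegas."""
    return [establish_omegas(establish_lambdas(v_max, s)) for s in seeds]


if __name__ == "__main__":
    print(run_fixed_base_variable_exponent(255, [0, 1, 42, 200, 255], seed=7))
    print(per_device_omegas(255, [1, 2]))
```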

In an embodiment, the key of a cipher is established, for example by random generation or by retrieving the key from a database, and the key should be used by entity 250. However, it is undesirable to give the entity 250 explicit knowledge of the key. The method then comprises that the entity 200 establishes the base C in dependence on the key and computes and provides the appropriate values of ω_(i). The messages are encrypted and any occurrence of an exponent x in the message, for which the entity 250 needs to compute C^(x) to decrypt the message, is replaced by the appropriate values of φ_(i). The resulting, encrypted message is provided to the entity 250. This allows the entity 250 to use the base C and exponent x in an exponentiation operation of the cipher without obtaining knowledge of the key, in particular without learning the value of C.

There may be a plurality of entities 250 that should perform the exponentiation C^(x) with the same base C and the same exponent x. However, it may be desirable that each different entity 250 can only process data intended for that particular entity 250. Also, it may be desirable that each entity 250 is uniquely identifiable by means of the software code and/or data comprised or stored in the entity 250. To that end, the method may further comprise selecting different pluralities of values λ_(i) and/or different values r. These different pluralities of values may then be used in respect of different devices but with the same values of C and x.

The entity 250 has an input, e.g. via the communications link or removable media, for receiving information indicative of at least part of the plurality of values ω_(i) and/or information indicative of at least part of the plurality of values φ_(i). A part or all of these pluralities of values may be stored in the entity 250, for example by means of a one-time configuration procedure or by hard-wiring at manufacture-time.

The part of the pluralities of values ω_(i) and φ_(i) which is not stored in the entity 250 beforehand may be provided by the entity 200. Alternatively, part or all of the values ω_(i) and φ_(i) is provided by a value provider 254. Value provider 254 accesses for example a hardware identifier of the device, a biometric measurement, and/or a password entered by the user. Value provider 254 then uses the resulting data as part or all of the values ω_(i) and φ_(i) either directly or after performing a transformation on the data.

The entity 250 may comprise a cryptographic unit for performing a cryptographic operation according to an asymmetric cipher, wherein the cryptographic operation involves the exponentiation C^(x), wherein the means for performing the cryptographic operation is arranged for using P as the result of the exponentiation C^(x).

The entity 250 may have an input arranged for receiving encrypted information from entity 200 indicative of at least part of the plurality of values ω_(i) and/or at least part of the plurality of values φ_(i). In that case a cryptographic unit is provided for decrypting the encrypted information to obtain, respectively, the at least part of the plurality of values ω_(i) and/or the at least part of the plurality of values φ_(i).

FIG. 10 shows a block diagram of a hardware unit that may act as the entity 250. The figure shows a processor 1002 and a memory 1006 capable of storing a computer program product comprising instructions for causing the processor 1002 to perform at least one of the methods disclosed herein. The unit comprises a user input 1004, e.g. buttons, touch screen, or remote control device and a display 1012 to provide facilities necessary for user interaction, e.g. starting a movie that is protected using digital rights management, or composing and transmitting an encrypted and/or digitally signed e-mail message. The display 1012 may also be used (in combination with audio speakers) to play video. The communications port 1008 connects to a digital network as discussed above, and/or a reader/writer of removable media 1010 is provided.

A similar hardware scheme may also be used to implement the entity 200. This diagram is only an example of a suitable hardware architecture for either entity 200 or 250; other architectures may be equally suitable. Entity 200 may be a server system comprising a plurality of servers, wherein each server may have an architecture similar to FIG. 10. It is not uncommon that key generation (which results in base C) and message encryption (which results in exponent x) occur on different servers of the server system of entity 200. It can be practical to compute the values of ω_(i) on the same server on which the key and/or base C is generated. Likewise, it can be practical to compute the values φ_(i) on the same server on which the message is encrypted and/or on which the exponent x is generated. Generation of the values of λ_(i) may be performed, for example, on the server whose values need updating the least frequently: the server generating the key and/or the base C. However, the tasks may be divided in any way over one or more computers.

Let H be a group of order n, although the invention is not limited to groups. Let C∈H be an element from that group, and x a variable over a subset V of the integer numbers. In the following it is shown how to hide the precise values of C and/or x from a white-box attack when computing the value

C^(x).  (1)

Let λ₁, λ₂, . . . , λ_(r) be a collection of integer values and let W₁, W₂, . . . , W_(r) be sets of integers. Furthermore, let these values span V in the following way:

$V \subseteq \left\{ \sum_{i=1}^{r} \lambda_i \cdot w_i \;\middle|\; (w_1, w_2, \ldots, w_r) \in W_1 \times W_2 \times \ldots \times W_r \right\}.$

Furthermore, for an element v from V define f_(i)(v) as the factor w_(i) with which λ_(i) may be multiplied to obtain v, i.e.,

$v = \sum_{i=1}^{r} \lambda_i \cdot f_i(v).$

For each i with 1≦i≦r, define ω_(i)=C^(λ_(i)).

Then, (1) may be computed as

$\prod_{i=1}^{r} \omega_i^{f_i(x)}.$  (2)

Note that if C^(x) is implemented in this way, the implementation uses f(x)=(f₁(x), f₂(x), . . . , f_(r)(x)) as input instead of x. That is, the input x is encoded. In other words, the input f(x) represents x, but it is difficult to derive the actual value of x from f(x). By providing f(x) and the ω_(i) to the white-box implementation, the white-box implementation is enabled to compute C^(x) using formula (2). Because it is not necessary to provide x explicitly, the value of x can remain hidden for the attacker of the white-box implementation.

It can be shown that if the values λ_(i) are unknown to an attacker, then it may be difficult for an attacker to derive the values C and x. Furthermore, if the values λ_(i) are unknown and C is known, then it is still difficult to derive x, in particular if H and/or C are selected such that it is difficult to compute log_(C) P. For example, if H is a sufficiently large cyclic group and if C is a generator of this group, it is difficult to compute the logarithm log_(C) P. The logarithm is also difficult to compute if the order of C is sufficiently large, wherein the order of C is the smallest positive integer q for which C^(q)=1. Other instances where the logarithm is difficult to compute will be apparent to the person skilled in the art, and this property may be used to advantage to apply the exponentiation according to the method presented herein.

Besides hiding the precise value of x in (1), the proposed white-box implementation of an exponentiation has the property that it allows a binary string to be included into the parameters. For example, by changing the value λ_(i), the value ω_(i) changes as well. This property may be used for including a particular binary string (to be derived from e.g. a hardware identifier, or a portion of computer executable code) in at least one of the values ω_(i). This would allow a white-box implementation in which only some of the ω_(i) are provided to the white-box implementation, e.g. via a secure server, and at least part of at least one of the ω_(i) is extracted from the execution environment by the white-box implementation. This would allow a set of ω_(i) to be provided that can only be used by the target execution environment and that is useless outside the execution environment for which the ω_(i) were intended.

Also, it is possible to bind the white-box implementation of the exponentiation operation to the surrounding program by letting the surrounding program receive values f′(x) that have been transformed according to a function f′ for some λ′₁, λ′₂, . . . , λ′_(t). The surrounding program then transforms the received values f′(x) into corresponding values f(x) based on the values λ₁, λ₂, . . . , λ_(r) (t need not be equal to r), and performs the exponentiation operation based on the latter values f(x). More generally, the input to the white-box implementation may comprise some encoded version g(x) of x, wherein the white-box implementation transforms g(x) into f(x) before applying the exponentiation. An attacker then not only needs the white-box implementation, but also this transformation, in order to obtain information about the exponent x and/or base C. The white-box implementation can also be bound to the surrounding program by multiplying one or more values ω_(i) by some secret value and by undoing this operation somewhere else in the program.

Hereinafter, a detailed embodiment will be disclosed. This embodiment is based on a generalization of the ElGamal public key cipher. The ElGamal public key cipher is known in the art. Briefly, it can be described as follows.

Key Generation:

Select a cyclic group G of order n with generator α. An example of sucha group is the multiplicative group of integers modulo a large prime p.

Select a random integer α with 1≦α≦n−1 and compute the group elementα^(a).

Public key: α, α^(a)

Private key: α

Encryption of Message m∈G:

Select a random integer k with 1≦k≦n−1 and compute the group elements γ=α^(k) and δ=m·(α^(a))^(k).

The ciphertext is given by (γ,δ).

Decryption of Ciphertext (γ,δ):

Compute γ^(−a).

Message m is given by γ^(−a)·δ, as γ^(−a)·δ=(α^(k))^(−a)·m·(α^(a))^(k)=m.

FIGS. 3-5 illustrate an embodiment of the invention. The Figures illustrate a white-box implementation of an asymmetric cipher. More particularly, they illustrate a white-box implementation of a generalization of the ElGamal public key cipher. However, this embodiment is provided as an example only. The invention is not limited to either ElGamal or asymmetric ciphers. As indicated, in this embodiment, a white-box implementation of a generalization of ElGamal is disclosed. This generalization, however, does not necessarily affect the black-box security of the cipher, i.e., the cipher is believed to be at least as secure as the original ElGamal block cipher. The generalized ElGamal cipher is defined as follows.

Key Generation (Step 300 in FIG. 3):

Select a cyclic group G of order n with generator α (step 302).

Select a random integer a with 1≦a≦n−1 and compute the group element α^(a) (step 304).

Select a function g from G to {0, 1, 2, . . . , n−1} (step 306). In order to enable a strong white-box implementation the function g need not be bijective, but preferably its range should be large.

Public key: α, α^(a), g

Private key: a

The public key and private key are stored in step 308.

Encryption of Message m∈G (Step 400 in FIG. 4):

Select a random integer k₁ with 1≦k₁≦n−1, and compute the group element γ=α^(k₁) (step 402).

Define k₂=g(γ) (step 404). If k₂=0, then select a different k₁ (step 406).

Compute the group element δ=m·(α^(a))^(k₁)·α^(k₂) (step 408).

The ciphertext is given by (γ,δ) (step 410).

Decryption of Ciphertext (γ,δ) (500 in FIG. 5):

Compute k₂=g(γ) (step 502).

Compute γ^(−a) and α^(−k₂) (steps 504 and 506, respectively).

Message m is given by γ^(−a)·α^(−k₂)·δ (step 508).

It is possible to derive white-box implementations of the exponentiation operations α^(k₂) (step 408) and α^(−k₂) (step 506) in which the value k₂ is hidden.

FIG. 6 illustrates a way of white-boxing the exponentiation α^(k₂) (step 408). FIG. 7 illustrates a way of white-boxing the exponentiation α^(−k₂) (step 506). These ways of white-boxing are non-limiting examples only. The exponentiation operation α^(k₂) will be described first.

Let m=⌈log₂ n⌉ be an estimate of the length of a bit string providing a binary representation of a number between 0 and n−1 (step 604).

Define values λ₁, λ₂, . . . , λ_(r) such that each value in the range of k₂ (step 606), i.e., each value between 1 and n−1, can be written as

$\sum\limits_{i = 1}^{r}\; {w_{i} \cdot \lambda_{i}}$

with (w₁, w₂, . . . , w_(r))∈W₁×W₂× . . . ×W_(r). This holds, for example, for m=r, W_(i)={0,1} and λ_(i)=b·2^(i), where b is a randomly selected integer between 1 and n−1. This may be appreciated by observing that if the function f(x) is defined as the linear function f(x)=b⁻¹x and if f_(i)(x) is the i^(th) bit of f(x), then

$x = {\sum\limits_{i = 1}^{m}{\lambda_{i} \cdot {f_{i}(x)}}}$

for an arbitrary x.

Define ω_(i)=α^(λ_(i)) and compute α^(k₂) by

$\prod\limits_{i = 1}^{m}\omega_{i}^{f_{i}{(k_{2})}}$

(step 608). Hence, the white-box implementation of the exponentiation operation has as an input (step 602) the encoded version f(k₂)=b⁻¹k₂ of k₂ and it returns α^(k₂) (step 610).

FIG. 7 illustrates a way to white-box the exponentiation α^(−k₂). This is intended to be a non-limiting example only. To distinguish it from the above white-box implementation, different notation is used: μ_(i) is used instead of λ_(i) and g is used instead of f. The sets W_(i) may be the same for both white-box implementations, i.e., {0,1}.

Define μ_(i)=c·2^(i) for a randomly selected integer c between 1 and n−1 (step 704). Furthermore, define the linear function g(x)=c⁻¹x and let g_(i)(x) denote the i^(th) bit of g(x) (step 706). From that it follows that any relevant value of x may be expressed as

$x = {\sum\limits_{i = 1}^{m}{\mu_{i} \cdot {{g_{i}(x)}.}}}$

Define υ_(i)=α^(−μ_(i)) and compute α^(−k₂) by

$\prod\limits_{i = 1}^{m}\upsilon_{i}^{g_{i}{(k_{2})}}$

(step 708). Hence, the white-box implementation has as input g(k₂)=c⁻¹k₂ (step 702) and returns α^(−k₂) (step 710).

Using these two white-boxed exponentiation operations, it is possible to specify a white-box implementation of the encryption and decryption operations of the generalized ElGamal cipher, for example.

FIG. 8 illustrates an example of how to obtain a white-box implementation of the encryption algorithm.

Select a random integer k₁ with 1≦k₁≦n−1 (step 802), and compute the group element γ=α^(k₁) in the standard way (i.e., non-white-boxed, step 804). However, a white-boxed implementation may be used as well.

It holds that γ=ƒ(k₂) or, equivalently, k₂=ƒ⁻¹(γ), although these values need not be computed. Herein, ƒ⁻¹ corresponds to the function g used in steps 404 and 502 above. If γ=0 (which is equivalent to k₂=0 as g is bijective and linear), then select a different k₁ (step 806).

The value (α^(a))^(k₁) is computed in the standard way (i.e., non-white-boxed, step 808). However, a white-boxed implementation may be used as well.

The value α^(k₂) is computed via

$\prod\limits_{i = 1}^{m}\omega_{i}^{\gamma_{i}}$

(step 810). Note that γ_(i), the i^(th) bit of γ, equals ƒ_(i)(k₂).

Compute the group element δ=m·(α^(a))^(k₁)·α^(k₂) (step 812), using the result of step 808.

The ciphertext is given by (γ,δ) (step 814).

FIG. 9 illustrates how to obtain a white-box implementation of the decryption algorithm.

The value c⁻¹·b is given (step 902). This value is used to determine the composed function g∘ƒ⁻¹(x)=c⁻¹·b·x (step 904).

This composed function is used to compute g(k₂)=g∘ƒ⁻¹(γ) (step 906).

The value γ^(−a) is computed in the standard way (i.e., non-white-boxed, step 908). However, a white-boxed implementation may be used as well.

The value α^(−k₂) is computed via

$\prod\limits_{i = 1}^{m}\upsilon_{i}^{g_{i}{(k_{2})}}$

(step 910).

Message m is provided by γ^(−a)·α^(−k₂)·δ (step 912).
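The two white-boxed exponentiations of FIGS. 6 and 7 together with the encryption and decryption of FIGS. 8 and 9, as an added Python example that is not part of the patent. It assumes the constructed toy group Z_p* with prime p=1187 and generator α=2, zero-based bit indices i=0..m−1, b and c chosen invertible modulo n, and, as in FIG. 8, the cipher's public function g chosen as ƒ⁻¹ so that k₂=b·γ mod n.

```python
from math import gcd
import random

P = 1187             # prime modulus; constructed toy value, far too small for real use
N = P - 1            # group order n: exponents and the encodings f, g live mod n
ALPHA = 2            # generator alpha (2 is a primitive root of the safe prime 1187)
M = N.bit_length()   # m = ceil(log2 n): bits of a value between 0 and n-1 (step 604)

def make_table(blinding, sign):
    """omega_i = alpha^(b*2^i) (sign=+1, steps 606/608) or upsilon_i = alpha^(-c*2^i)
    (sign=-1, steps 704/708), i = 0..m-1 (zero-based form of the page's indexing)."""
    assert gcd(blinding, N) == 1, "b and c must be invertible mod n (assumption)"
    return [pow(ALPHA, sign * blinding * (1 << i) % N, P) for i in range(M)]

def wb_exp(table, encoded):
    """Device side: prod table[i]^{bit_i(encoded)}.  With encoded = b^-1*k2 mod n this
    equals alpha^(+-k2); neither b nor k2 ever appears in the running code."""
    out = 1
    for omega, bit in zip(table, [(encoded >> i) & 1 for i in range(M)]):
        if bit:
            out = out * omega % P
    return out

def unit(rng):
    """Random integer in 1..n-1 that is invertible mod n."""
    while True:
        v = rng.randrange(1, N)
        if gcd(v, N) == 1:
            return v

def keygen(rng):
    """Step 300 plus the hidden encodings f(x) = b^-1 x and g(x) = c^-1 x.  As in FIG. 8
    the cipher's public function is f^-1, i.e. k2 = b*gamma mod n, so the encryptor feeds
    the bits of gamma straight into its table; the decryptor gets c^-1*b (step 902)."""
    a, b, c = rng.randrange(1, N), unit(rng), unit(rng)
    return {"a": a, "pub": pow(ALPHA, a, P), "b": b, "cb": pow(c, -1, N) * b % N,
            "enc_tab": make_table(b, +1), "dec_tab": make_table(c, -1)}

def encrypt(m, pub, enc_tab, rng):
    """FIG. 8: needs only alpha, alpha^a and the omega_i table."""
    while True:
        k1 = rng.randrange(1, N)
        gamma = pow(ALPHA, k1, P)                          # step 804
        if gamma % N != 0:                                 # step 806: gamma = 0 mod n <=> k2 = 0
            break
    alpha_k2 = wb_exp(enc_tab, gamma % N)                  # step 810: gamma_i = f_i(k2)
    return gamma, m * pow(pub, k1, P) % P * alpha_k2 % P   # step 812

def decrypt(gamma, delta, a, dec_tab, cb):
    """FIG. 9: needs a, c^-1*b and the upsilon_i table; c and k2 stay hidden."""
    g_k2 = cb * (gamma % N) % N                            # step 906: g(k2) = c^-1*b*gamma
    alpha_neg_k2 = wb_exp(dec_tab, g_k2)                   # step 910
    return pow(gamma, -a % N, P) * alpha_neg_k2 % P * delta % P   # step 912

def demo(seed=7, m=321):
    """Round trip; also checks both tables against plain modular exponentiation."""
    rng = random.Random(seed)
    key = keygen(rng)
    gamma, delta = encrypt(m, key["pub"], key["enc_tab"], rng)
    k2 = key["b"] * (gamma % N) % N                        # reference only, never on a device
    tables_ok = (wb_exp(key["enc_tab"], gamma % N) == pow(ALPHA, k2, P) and
                 wb_exp(key["dec_tab"], key["cb"] * (gamma % N) % N) == pow(ALPHA, -k2 % N, P))
    return decrypt(gamma, delta, key["a"], key["dec_tab"], key["cb"]), tables_ok
```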

In a white-box implementation, the key may be hidden, e.g. embedded in the implementation, and it may not be easy to replace the key. The white-box implementation described above in respect of a generalized version of ElGamal may be constructed in such a way that the value α and the functions g and f are not easily replaced. Moreover, it is easy to construct the white-box implementation described above in respect of a generalized version of ElGamal in such a way that the value “a” can still be varied easily. In such a case, the key generation of the block cipher, described in respect of FIG. 3, is preferably arranged as follows:

Values α, g and f are fixed.

Public key: α, α^(a)

Private key: a

By changing the value λ_(i) (μ_(i)), in general the value ω_(i) (υ_(i)) may change as well. Hence, if a set of m devices is given and if it is desired to bind the proposed white-box implementation to each of these devices, then this may be achieved in the following way. For some i, 1≦i≦r, choose m different respective values of λ_(i) (μ_(i)), compute the m respective associated values ω_(i) (υ_(i)) and assign those m respective associated values ω_(i) (υ_(i)) to the respective m devices, for example by setting a hardware identifier of the respective devices to (or in dependence on) the respective associated values ω_(i) (υ_(i)).

To include a given string in the white-box implementation, and more particularly in the representation of ω_(i) and/or υ_(i) on a device, one may proceed as follows. Suppose that one intends to include into the implementation a 32-bit bit string s. More particularly, one would like to use this bit string as representation of ω_(i) (υ_(i)). Then the probability that the first 32 bits of, say, ω_(i) (υ_(i)) are given by s will probably be around 1/2³² if λ_(i) (μ_(i)) is randomly selected. Hence, by using a trial-and-error approach, one may find after probably at most 2³² attempts an implementation in which the first 32 bits of ω_(i) (υ_(i)) match bit string s. Such a feature may be used, for example, to bind the data indicative of ω_(i) and/or υ_(i) to a particular target device, by leaving out some string known to be present on the target device, and preferably not present on most or all other devices. For example, some string could be based on the MAC address, hard disk ID, or another kind of hardware identifier. Also, the string could be based on the machine name. To bind the data indicative of ω_(i) and/or υ_(i) to a particular person, some string could be based on a user ID or password or a biometric measurement, for example. By including that string in the white-box implementation as indicated, the white-box implementation could not easily be used on another device or by another person.
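The trial-and-error binding just described, as an added Python example that is not part of the patent. It assumes the constructed toy group Z_p* with p=2³¹−1 and generator 7, an 8-bit tag in place of the 32-bit string s (so the search takes about 2⁸ attempts), a SHA-256 hash of a constructed MAC-address string as the device-derived tag, and that the stored ω_(i) omits exactly those leading bits, which the device restores from its own environment at run time.

```python
import hashlib
import random

P = (1 << 31) - 1     # Mersenne prime 2^31-1; constructed toy group, not for real use
ALPHA = 7             # 7 is a primitive root mod 2^31-1, so omega_i ranges over all of 2..p-1
TAG_BITS = 8          # the page uses a 32-bit s; 8 bits keeps the search to ~256 attempts
BODY_BITS = P.bit_length() - TAG_BITS   # bits of omega_i that are actually stored

def device_tag(hw_id):
    """s: TAG_BITS bits derived from a hardware identifier (here a constructed MAC string)."""
    digest = hashlib.sha256(hw_id.encode()).digest()
    return digest[0] >> (8 - TAG_BITS)

def bind_lambda(tag, rng, max_tries=1 << 16):
    """Trial and error (page: 'probably at most 2^32 attempts'): draw lambda_i until the
    leading TAG_BITS bits of omega_i = alpha^lambda_i equal the tag.
    Returns (lambda_i, omega_i, attempts)."""
    for attempt in range(1, max_tries + 1):
        lam = rng.randrange(1, P - 1)
        omega = pow(ALPHA, lam, P)
        if omega >> BODY_BITS == tag:
            return lam, omega, attempt
    raise RuntimeError("no lambda_i found within max_tries")

def strip_tag(omega):
    """What is shipped to the device: omega_i with its leading TAG_BITS bits left out."""
    return omega & ((1 << BODY_BITS) - 1)

def restore(stored, hw_id):
    """What the device does at run time: prepend the bits it derives from its own
    hardware identifier.  Only the intended device reproduces omega_i exactly."""
    return (device_tag(hw_id) << BODY_BITS) | stored

def demo(seed=3, owner="mac:02:00:5e:10:00:01", other="mac:02:00:5e:10:00:02"):
    """Bind one table entry to `owner` (constructed identifiers); report whether each
    device restores the correct omega_i, i.e. the correct factor alpha^lambda_i."""
    rng = random.Random(seed)
    lam, omega, attempts = bind_lambda(device_tag(owner), rng)
    stored = strip_tag(omega)
    return {"attempts": attempts,
            "owner_ok": restore(stored, owner) == pow(ALPHA, lam, P),
            "other_ok": restore(stored, other) == pow(ALPHA, lam, P),
            "tags_differ": device_tag(owner) != device_tag(other)}
```

A device whose identifier hashes to a different tag restores a wrong ω_(i) and therefore a wrong product; the `tags_differ` flag records the (about 1 in 2⁸ for this toy size) case where two identifiers happen to share a tag.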

It will be appreciated that the invention also extends to computer programs, particularly computer programs on or in a carrier, adapted for putting the invention into practice. The program may be in the form of source code, object code, a code intermediate source and object code such as partially compiled form, or in any other form suitable for use in the implementation of the method according to the invention. It will also be appreciated that such a program may have many different architectural designs. For example, a program code implementing the functionality of the method or system according to the invention may be subdivided into one or more subroutines. Many different ways to distribute the functionality among these subroutines will be apparent to the skilled person. The subroutines may be stored together in one executable file to form a self-contained program. Such an executable file may comprise computer executable instructions, for example processor instructions and/or interpreter instructions (e.g. Java interpreter instructions). Alternatively, one or more or all of the subroutines may be stored in at least one external library file and linked with a main program either statically or dynamically, e.g. at run-time. The main program contains at least one call to at least one of the subroutines. Also, the subroutines may comprise function calls to each other. An embodiment relating to a computer program product comprises computer executable instructions corresponding to each of the processing steps of at least one of the methods set forth. These instructions may be subdivided into subroutines and/or be stored in one or more files that may be linked statically or dynamically. Another embodiment relating to a computer program product comprises computer executable instructions corresponding to each of the means of at least one of the systems and/or products set forth. These instructions may be subdivided into subroutines and/or be stored in one or more files that may be linked statically or dynamically.

The carrier of a computer program may be any entity or device capable of carrying the program. For example, the carrier may include a storage medium, such as a ROM, for example a CD ROM or a semiconductor ROM, or a magnetic recording medium, for example a floppy disc or hard disk. Further the carrier may be a transmissible carrier such as an electrical or optical signal, which may be conveyed via electrical or optical cable or by radio or other means. When the program is embodied in such a signal, the carrier may be constituted by such cable or other device or means. Alternatively, the carrier may be an integrated circuit in which the program is embedded, the integrated circuit being adapted for performing, or for use in the performance of, the relevant method.

Any reference to “random numbers” should be interpreted as including pseudo-random numbers such as those generated by deterministic algorithms.

It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design many alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. Use of the verb “comprise” and its conjugations does not exclude the presence of elements or steps other than those stated in a claim. The article “a” or “an” preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the device claim enumerating several means, several of these means may be embodied by one and the same item of hardware. The mere fact that certain measures are recited in mutually different dependent claims does not indicate that a combination of these measures cannot be used to advantage.

1-16. (canceled)
17. A method for computation of an outcome of an exponentiation C^(x) having a base C and an exponent x by means of a white-box implementation of the exponentiation, the method comprising: receiving information indicative of at least a part of a plurality of values ω_(i) and at least a part of information indicative of a plurality of values φ_(i), the plurality of values ω_(i) satisfying ω_(i)=C^(λ_(i)), the plurality of values φ_(i) satisfying ${x = {\sum\limits_{i = 1}^{r}{\lambda_{i}\phi_{i}}}},$ i=1, 2, . . . , r; and encrypting a message to obtain a ciphertext and/or decrypting the ciphertext to obtain the message, by using $P = {\prod\limits_{i = 1}^{r}\omega_{i}^{\phi_{i}}}$ wherein P=C^(x), thereby hiding at least one of the precise value of the base C and exponent x from a white-box attack.

18. The method according to claim 17, wherein the base C is an ElGamal public key.

19. The method according to claim 17, wherein encrypting a message m comprises: generating a ciphertext including calculating α^(k2) by using P, k2 corresponding to x, α being associated with the key.

20. The method according to claim 19, wherein generating a ciphertext comprises: generating the ciphertext given by (γ, δ) by using P, γ=α^(k1), δ=m·(α^(a))^(k1)·α^(k2), α being associated with a public key, g being a function, a being associated with a private key, 1≦k1≦n−1, k2=g(γ).

21. The method according to claim 17, wherein decrypting a ciphertext comprises: decrypting a ciphertext including calculating α^(−k2) by using P, k2 corresponding to x, α being associated with the key.

22. The method according to claim 21, wherein decrypting a ciphertext comprises: decrypting the ciphertext given by (γ, δ) by using P to obtain the message m given by γ^(−a)·α^(−k2)·δ, γ=α^(k1), δ=m·(α^(a))^(k1)·α^(k2), α being associated with a public key, g being a function, a being associated with a private key, 1≦k1≦n−1, k2=g(γ).

23. A non-transitory computer readable storage storing a program comprising instructions, which when executed by a processor, causes the processor to perform computation of an outcome of an exponentiation C^(x) having a base C and an exponent x by means of a white-box implementation of the exponentiation, comprising: receiving information indicative of at least a part of a plurality of values ω_(i) and at least a part of information indicative of a plurality of values φ_(i), the plurality of values ω_(i) satisfying ω_(i)=C^(λ_(i)), the plurality of values φ_(i) satisfying ${x = {\sum\limits_{i = 1}^{r}{\lambda_{i}\phi_{i}}}},$ i=1, 2, . . . , r; and encrypting a message m to obtain a ciphertext and/or decrypting the ciphertext to obtain the message m, by using $P = {\prod\limits_{i = 1}^{r}\omega_{i}^{\phi_{i}}}$ wherein P=C^(x), thereby hiding at least one of the precise value of the base C and exponent x from a white-box attack.

24. A method for computation of an outcome of an exponentiation C^(x) having a base C and an exponent x by means of a white-box implementation of the exponentiation, the method comprising: establishing a plurality of values λ_(i), for i=1, 2, . . . , r, establishing a plurality of values ω_(i) for i=1, 2, . . . , r, satisfying ω_(i)=C^(λ_(i)), C being associated with a key of a cipher, establishing a plurality of values φ_(i), for i=1, 2, . . . , r, satisfying ${x = {\sum\limits_{i = 1}^{r}{\lambda_{i}\phi_{i}}}};$ and providing a device with information indicative of at least a part of the plurality of values ω_(i) and at least a part of information indicative of the plurality of values φ_(i) to calculate $P = {\prod\limits_{i = 1}^{r}\omega_{i}^{\phi_{i}}}$ wherein P=C^(x), thereby hiding at least one of the precise values of the base C and exponent x from a white-box attack.

25. The method according to claim 24, wherein the base C is an ElGamal public key.

26. The method according to claim 24, wherein encrypting a message m comprises: generating a ciphertext including calculating α^(k2) by using P, k2 corresponding to x, α being associated with the key.

27. The method according to claim 26, wherein generating a ciphertext comprises: generating the ciphertext given by (γ, δ) by using P, γ=α^(k1), δ=m·(α^(a))^(k1)·α^(k2), α being associated with a public key, g being a function, a being associated with a private key, 1≦k1≦n−1, k2=g(γ).

28. The method according to claim 24, wherein decrypting a ciphertext comprises: decrypting a ciphertext including calculating α^(−k2) by using P, k2 corresponding to x, α being associated with the key.

29. The method according to claim 28, wherein decrypting a ciphertext comprises: decrypting the ciphertext given by (γ, δ) by using P to obtain the message m given by γ^(−a)·α^(−k2)·δ, γ=α^(k1), δ=m·(α^(a))^(k1)·α^(k2), α being associated with a public key, g being a function, a being associated with a private key, 1≦k1≦n−1, k2=g(γ).

30. The method according to claim 17, wherein the exponent x is variable, and wherein establishing a plurality of values λ_(i) comprises: establishing a set V of values to be used as the exponent x, and a plurality of sets of values W₁, W₂, . . . , W_(r) such that $V \subseteq \left\{ \sum\limits_{i = 1}^{r} \lambda_{i} \cdot w_{i} \;\middle|\; \left( w_{1}, w_{2}, \ldots, w_{r} \right) \in W_{1} \times W_{2} \times \ldots \times W_{r} \right\}.$

31. The method according to claim 30, wherein establishing the plurality of values φ_(i) comprises: selecting the values φ_(i) such that φ_(i)∈W_(i), for i=1, 2, . . . , r.

32. The method according to claim 24, wherein W_(i)={0,1}, for i=1, 2, . . . , r.

33. The method according to claim 24, wherein C is of order q, q being a positive integer such that C^(q)=1.

34. The method according to claim 17, comprising at least one of: selecting different pluralities of values λ_(i) with respect to the base C and the exponent x, to be used in respect of different devices; and selecting different values r with respect to the base C and the exponent x, in respect of different devices.

35. The method according to claim 17, comprising at least one of: selecting r, wherein r is an integer and r≧2; generating the key; encrypting and/or decrypting information indicative of the plurality of values ω_(i) and information indicative of the plurality of values φ_(i).

36. A non-transitory computer readable storage storing a program comprising instructions, which when executed by a processor, causes the processor to perform computation of an outcome of an exponentiation C^(x) having a base C and an exponent x by means of a white-box implementation of the exponentiation, comprising: establishing a plurality of values λ_(i), for i=1, 2, . . . , r, establishing a plurality of values ω_(i) for i=1, 2, . . . , r, satisfying ω_(i)=C^(λ_(i)), C being associated with a key of a cipher, establishing a plurality of values φ_(i), for i=1, 2, . . . , r, satisfying ${x = {\sum\limits_{i = 1}^{r}{\lambda_{i}\phi_{i}}}};$ and providing a device with information indicative of at least a part of the plurality of values ω_(i) and at least a part of information indicative of the plurality of values φ_(i) to calculate $P = {\prod\limits_{i = 1}^{r}\omega_{i}^{\phi_{i}}}$ wherein P=C^(x), thereby hiding at least one of the precise values of the base C and exponent x from a white-box attack.